<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Delegate PKI authentication API | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'security-api-delegate-pki-authentication.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-delegate-pki-authentication.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-delegate-pki-authentication.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/security-api-delegate-pki-authentication.html" rel="nofollow" target="_blank">../en/security-api-delegate-pki-authentication.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="rest-apis.html">REST APIs</a></span>
»
<span class="breadcrumb-link"><a href="security-api.html">Security APIs</a></span>
»
<span class="breadcrumb-node">Delegate PKI authentication API</span>
</div>
<div class="navheader">
<span class="prev">
<a href="security-api-put-user.html">« Create or update users API</a>
</span>
<span class="next">
<a href="security-api-delete-privilege.html">Delete application privileges API »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="security-api-delegate-pki-authentication"></a>Delegate PKI authentication API<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/delegate-pki-authentication.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>

<p>Implements the exchange of an <em>X509Certificate</em> chain into an Elasticsearch access
token.</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-delegate-pki-authentication-request"></a>Request<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/delegate-pki-authentication.asciidoc">edit</a>
</h3>
</div></div></div>
<p><code class="literal">POST /_security/delegate_pki</code></p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-delegate-pki-authentication-prereqs"></a>Prerequisites<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/delegate-pki-authentication.asciidoc">edit</a>
</h3>
</div></div></div>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
To call this API, the (proxy) user must have the <code class="literal">delegate_pki</code> or the <code class="literal">all</code>
cluster privilege. The <code class="literal">kibana_system</code> built-in role already grants this
privilege. See <a class="xref" href="security-privileges.html" title="Security privileges">Security privileges</a>.
</li>
</ul>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-delegate-pki-authentication-desc"></a>Description<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/delegate-pki-authentication.asciidoc">edit</a>
</h3>
</div></div></div>
<p>This API implements the exchange of an <em>X509Certificate</em> chain for an Elasticsearch
access token. The certificate chain is validated, according to RFC 5280, by
sequentially considering the trust configuration of every installed PKI realm
that has <code class="literal">delegation.enabled</code> set to <code class="literal">true</code> (default is <code class="literal">false</code>). A
successfully trusted client certificate is also subject to the validation of
the subject distinguished name according to that respective’s realm
<code class="literal">username_pattern</code>.</p>
<p>This API is called by <span class="strong strong"><strong>smart</strong></span> and <span class="strong strong"><strong>trusted</strong></span> proxies, such as Kibana, which
terminate the user’s TLS session but still want to authenticate the user
by using a PKI realm—​as if the user connected directly to Elasticsearch. For more
details, see <a class="xref" href="pki-realm.html#pki-realm-for-proxied-clients" title="PKI authentication for clients connecting to Kibana">PKI authentication for clients connecting to Kibana</a>.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>The association between the subject public key in the target
certificate and the corresponding private key is <span class="strong strong"><strong>not</strong></span> validated. This is part
of the TLS authentication process and it is delegated to the proxy that calls
this API. The proxy is <span class="strong strong"><strong>trusted</strong></span> to have performed the TLS authentication and
this API translates that authentication into an Elasticsearch access token.</p>
</div>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-delegate-pki-authentication-request-body"></a>Request body<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/delegate-pki-authentication.asciidoc">edit</a>
</h3>
</div></div></div>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">x509_certificate_chain</code>
</span>
</dt>
<dd>
<p>
(Required, list of strings) The <em>X509Certificate</em> chain, which is represented as
an ordered string array. Each string in the array is a base64-encoded
(Section 4 of RFC4648 - not base64url-encoded) of the certificate’s DER encoding.
</p>
<p>The first element is the target certificate contains the subject distinguished
name that is requesting access. This may be followed by additional certificates;
each subsequent certificate is used to certify the previous one.</p>
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-delegate-pki-authentication-response-body"></a>Response body<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/delegate-pki-authentication.asciidoc">edit</a>
</h3>
</div></div></div>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">access_token</code>
</span>
</dt>
<dd>
(string) An access token associated to the subject distinguished name of the
client’s certificate.
</dd>
<dt>
<span class="term">
<code class="literal">expires_in</code>
</span>
</dt>
<dd>
(time units) The amount of time (in seconds) that the token expires in.
</dd>
<dt>
<span class="term">
<code class="literal">type</code>
</span>
</dt>
<dd>
(string) The type of token.
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-delegate-pki-authentication-example"></a>Examples<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/delegate-pki-authentication.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The following is an example request:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/delegate_pki
{
  "x509_certificate_chain": ["MIIDbTCCAlWgAwIBAgIJAIxTS7Qdho9jMA0GCSqGSIb3DQEBCwUAMFMxKzApBgNVBAMTIkVsYXN0aWNzZWFyY2ggVGVzdCBJbnRlcm1lZGlhdGUgQ0ExFjAUBgNVBAsTDUVsYXN0aWNzZWFyY2gxDDAKBgNVBAoTA29yZzAeFw0xOTA3MTkxMzMzNDFaFw0yMzA3MTgxMzMzNDFaMEoxIjAgBgNVBAMTGUVsYXN0aWNzZWFyY2ggVGVzdCBDbGllbnQxFjAUBgNVBAsTDUVsYXN0aWNzZWFyY2gxDDAKBgNVBAoTA29yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANHgMX2aX8t0nj4sGLNuKISmmXIYCj9RwRqS7L03l9Nng7kOKnhHu/nXDt7zMRJyHj+q6FAt5khlavYSVCQyrDybRuA5z31gOdqXerrjs2OXS5HSHNvoDAnHFsaYX/5geMewVTtc/vqpd7Ph/QtaKfmG2FK0JNQo0k24tcgCIcyMtBh6BA70yGBM0OT8GdOgd/d/mA7mRhaxIUMNYQzRYRsp4hMnnWoOTkR5Q8KSO3MKw9dPSpPe8EnwtJE10S3s5aXmgytru/xQqrFycPBNj4KbKVmqMP0G60CzXik5pr2LNvOFz3Qb6sYJtqeZF+JKgGWdaTC89m63+TEnUHqk0lcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQU/+aAD6Q4mFq1vpHorC25/OY5zjcwHwYDVR0jBBgwFoAU8siFCiMiYZZm/95qFC75AG/LRE0wDQYJKoZIhvcNAQELBQADggEBAIRpCgDLpvXcgDHUk10uhxev21mlIbU+VP46ANnCuj0UELhTrdTuWvO1PAI4z+WbDUxryQfOOXO9R6D0dE5yR56L/J7d+KayW34zU7yRDZM7+rXpocdQ1Ex8mjP9HJ/Bf56YZTBQJpXeDrKow4FvtkI3bcIMkqmbG16LHQXeG3RS4ds4S4wCnE2nA6vIn9y+4R999q6y1VSBORrYULcDWxS54plHLEdiMr1vVallg82AGobS9GMcTL2U4Nx5IYZG7sbTk3LrDxVpVg/S2wLofEdOEwqCeHug/iOihNLJBabEW6z4TDLJAVW5KCY1DfhkYlBfHn7vxKkfKoCUK/yLWWI="] <a id="CO658-1"></a><i class="conum" data-value="1"></i>
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2079.console"></div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO658-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>A one element certificate chain.</p>
</td>
</tr>
</table>
</div>
<p>Which returns the following response:</p>
<div class="pre_wrapper lang-console-result">
<pre class="programlisting prettyprint lang-console-result">{
  "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "type" : "Bearer",
  "expires_in" : 1200
}</pre>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="security-api-put-user.html">« Create or update users API</a>
</span>
<span class="next">
<a href="security-api-delete-privilege.html">Delete application privileges API »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>